I like to split up tasks into small subtasks.
It's true that #13655 benefits from this feature but it can be implemented without this ticket. This enhancement also requires some addition to API and bindings to Windows' crypt32.dll. It might be inappropriate to add it to #13655 because we need to backport #13655 to Python 2.6 to 3.3.

> Sounds promising. Do you think this should be hooked into SSLContext.set_default_verify_paths, or be exposed as a separate method?
If there were an API which exposed the certificate material, then this would be more useful to libraries trying to do other things (present debugging information, use an alternate SSL implementation *wink*, etc). If this is *only* wrapped up inside set_default_verify_paths then many of these extra things are impossible with a second binding to the same API.

Yes, I'm planning to expose the low level API. I prefer to do as much work in Python space as possible. The information is just too useful to 3rd parties, too.
I'm thinking about one low level function that interfaces Windows's cert store. The rest can be built on top of this function and #18138.
enum_system_store(store_name, cert_type="certificate") -> [(cert_data, encoding_type), ...]
  store_name:
    name of the store (e.g. "CA", "MY", "ROOT"), see http://msdn.microsoft.com/en-us/library/windows/desktop/aa376560%28v=vs.85%29.aspx
  cert_type:
    "certificate" or "crl"
  data:
    certificate bytes (as far as I know the certs are stored in DER format)
  encoding_type:
    integer encoding X509_ASN_ENCODING or PKCS_7_ASN_ENCODING

> New changeset 10d325f674f5 by Christian Heimes in branch 'default':
> Issue #17134: Add ssl.enum_cert_store() as interface to Windows' cert store.
> http://hg.python.org/cpython/rev/10d325f674f5
I don't want to sound annoying, but I would have liked to review this
before it goes in. Could it wait a few days? (I'm sure it can :-))

The new patch splits up the one function into enum_certificates() and enum_crls(). enum_certificates() now also returns trust settings for the certificate. Internally it maps the most common OIDs to human readable names.
The patch comes without doc updates yet.

Here is a simplified version of my patch with doc updates.
Changes:
- Different functions for certs and CRLs: enum_certificates() / enum_crls()
- encoding is now a string ('x509_asn' or 'pkcs_7_asn')
- for certificates trust information is either a set of OIDs or True. The OIDs can be interpreted with the new functions #19448.
Both functions are intended to be low level interfaces to Windows' cert store.
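
An added example, not part of the thread or of the patch: one way a caller could build a CA bundle in Python space from entries shaped as the last comment describes, (data, encoding, trust) with encoding 'x509_asn' or 'pkcs_7_asn' and trust either True or a set of OIDs. The helper names, the SAMPLE data and the choice of the serverAuth purpose OID are assumptions made for illustration.

```python
import ssl
import sys

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth (TLS server certificates)

def select_trusted(entries, purpose_oid=SERVER_AUTH_OID):
    """Pick DER certificates whose trust setting allows purpose_oid.

    entries: iterable of (data, encoding, trust) tuples, where trust is
    True (trusted for everything) or a set of purpose OIDs.
    """
    seen, selected = set(), []
    for data, encoding, trust in entries:
        if encoding != "x509_asn":
            continue  # a PKCS#7 blob is not a single DER certificate
        allowed = trust is True or (
            isinstance(trust, (set, frozenset)) and purpose_oid in trust)
        if allowed and data not in seen:  # same cert may sit in several stores
            seen.add(data)
            selected.append(data)
    return selected

def to_pem_bundle(der_certs):
    """Concatenate DER certificates into one PEM string for cadata=."""
    return "".join(ssl.DER_cert_to_PEM_cert(der) for der in der_certs)

# Constructed sample: placeholder bytes, not real certificates.
SAMPLE = [
    (b"der-cert-A", "x509_asn", True),
    (b"der-cert-B", "x509_asn", {SERVER_AUTH_OID, "1.3.6.1.5.5.7.3.2"}),
    (b"der-cert-C", "x509_asn", {"1.3.6.1.5.5.7.3.3"}),   # code signing only
    (b"der-cert-D", "x509_asn", set()),                    # no purposes allowed
    (b"p7-blob", "pkcs_7_asn", True),
    (b"der-cert-A", "x509_asn", True),                     # duplicate
]

if __name__ == "__main__":
    if sys.platform == "win32" and hasattr(ssl, "enum_certificates"):
        entries = [e for store in ("CA", "ROOT")
                   for e in ssl.enum_certificates(store)]
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cadata=to_pem_bundle(select_trusted(entries)))
        print(len(ctx.get_ca_certs()), "CA certificates loaded")
    else:
        print(to_pem_bundle(select_trusted(SAMPLE)))
```

Filtering on the trust value matters because a certificate present in the "ROOT" store may be restricted to purposes other than server authentication, and an empty OID set means it is trusted for none.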